From 08ac11efcbe2f9472de2423d312f8f39cebb793c Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Fri, 12 Jan 2024 00:47:08 +0900 Subject: [PATCH 1/6] feat: added wild card and exact search in filter option #1240 --- Cargo.lock | 7 +++++++ Cargo.toml | 1 + src/timeline/search.rs | 19 +++++++++---------- 3 files changed, 17 insertions(+), 10 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 54540434c..2ee9332de 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -833,6 +833,7 @@ dependencies = [ "terminal_size", "tokio", "ureq", + "wildmatch", "yaml-rust", ] @@ -2170,6 +2171,12 @@ version = "0.25.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1778a42e8b3b90bff8d0f5032bf22250792889a5cdc752aa0020c84abe3aaf10" +[[package]] +name = "wildmatch" +version = "2.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "495ec47bf3c1345005f40724f0269362c8556cbc43aed0526ed44cae1d35fceb" + [[package]] name = "winapi" version = "0.3.9" diff --git a/Cargo.toml b/Cargo.toml index dc8a7e9e2..9682eea18 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -53,6 +53,7 @@ memchr = "2.*" num = "0.4.0" indexmap = "2.*" dialoguer = "*" +wildmatch = "2.*" [profile.dev] debug = 0 diff --git a/src/timeline/search.rs b/src/timeline/search.rs index ae3300e2e..25b741c2d 100644 --- a/src/timeline/search.rs +++ b/src/timeline/search.rs @@ -18,12 +18,12 @@ use csv::{QuoteStyle, WriterBuilder}; use downcast_rs::__std::process; use hashbrown::{HashMap, HashSet}; use itertools::Itertools; -use nested::Nested; use regex::Regex; use std::fs::File; use std::io::BufWriter; use std::path::PathBuf; use termcolor::{BufferWriter, Color, ColorChoice}; +use wildmatch::WildMatch; #[derive(Debug, Clone)] pub struct EventSearch { 
@@ -98,7 +98,7 @@ impl EventSearch { fn filter_record( &mut self, record: &EvtxRecordInfo, - filter_rule: &HashMap>, + filter_rule: &HashMap>, eventkey_alias: &EventKeyAliasConfig, ) -> bool { filter_rule.iter().all(|(k, v)| { @@ -109,10 +109,9 @@ impl EventSearch { ) .unwrap_or_else(|| "n/a".into()) .replace(['"', '\''], ""); - // aliasでマッチした場合はaliasに登録されていないフィールドを検索する必要がないためtrueを返す if v.iter() - .all(|search_target| utils::contains_str(&alias_target_val, search_target)) + .all(|search_target| search_target.matches(&alias_target_val)) { return true; } @@ -126,7 +125,7 @@ impl EventSearch { _ => CompactString::new("-"), }; v.iter() - .all(|search_target| utils::contains_str(&allfieldinfo, search_target)) + .all(|search_target| search_target.matches(&allfieldinfo)) }) } @@ -238,7 +237,7 @@ impl EventSearch { } /// filters からフィルタリング条件を作成する関数 -fn create_filter_rule(filters: &[String]) -> HashMap> { +fn create_filter_rule(filters: &[String]) -> HashMap> { filters .iter() .fold(HashMap::new(), |mut acc, filter_condition| { @@ -250,10 +249,10 @@ fn create_filter_rule(filters: &[String]) -> HashMap> { .unwrap_or(prefix_trim_condition); let condition = trimed_condition.split(':').map(|x| x.trim()).collect_vec(); if condition.len() != 1 { - let acc_val = acc - .entry(condition[0].to_string()) - .or_insert(Nested::::new()); - acc_val.push(condition[1..].join(":")); + let acc_val = acc.entry(condition[0].to_string()).or_insert(vec![]); + condition[1..] + .iter() + .for_each(|x| acc_val.push(WildMatch::new(x))); } acc }) From 4d2615668f9d7ba08f359462cc0a8ca0a84816ec Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Fri, 12 Jan 2024 00:58:41 +0900 Subject: [PATCH 2/6] docs(CHANGELOG): added next version changelog template --- CHANGELOG-Japanese.md | 18 ++++++++++++++++++ CHANGELOG.md | 18 ++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index 4c6cec71f..f94f6772c 100644 
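Review bot: The rewritten entry branch of create_filter_rule (last hunk of search.rs) now pushes every ':'-separated piece of a filter value as its own WildMatch pattern, whereas the removed code rejoined them with `condition[1..].join(":")`; because filter_record requires `v.iter().all(...)` of those patterns to fully match the same field value, any filter whose value itself contains a colon (a Windows path such as `path:C:\tools\a.exe`, or a time-like value) can no longer match at all. Build a single pattern from the rejoined value instead: `acc_val.push(WildMatch::new(&condition[1..].join(":")));`. The switch from `utils::contains_str` to `search_target.matches(...)` in the two filter_record hunks is also a user-visible semantic change — without a `*` a value that previously matched as a substring now has to match the whole field, and as far as the visible code shows the comparison appears case-sensitive — so the `///` doc on create_filter_rule and the filter option's help text should say so, e.g. `/// Builds filter rules from `key:value` filters; each value is a wildmatch pattern (`*`/`?`) matched against the whole field value.` Both filter_record and create_filter_rule extend beyond the lines shown in these hunks.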
--- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -1,5 +1,23 @@ # 変更点 +## 2.13.0 [2024/XX/XX] "XXX Release" + +**新機能:** + +- XXX + +**改善:** + +- XXX + +**バグ修正:** + +- XXX + +**その他:** + +- XXX + ## 2.12.0 [2023/12/24] "SECCON Christmas Release" **改善:** diff --git a/CHANGELOG.md b/CHANGELOG.md index 864db8066..58cbb0e5f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,23 @@ # Changes +## 2.13.0 [2024/XX/XX] "XXX Release" + +**New Features:** + +- XXX + +**Enhancements:** + +- XXX + +**Bug Fixes:** + +- XXX + +**Other:** + +- XXX + ## 2.12.0 [2023/12/24] "SECCON Christmas Release" **Enhancements:** From 44dcddd18e762c65c78775647c357b72967d881d Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Fri, 12 Jan 2024 00:59:36 +0900 Subject: [PATCH 3/6] chore(Cargo): set next milestone version --- Cargo.lock | 2 +- Cargo.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 2ee9332de..d22cd92c2 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -784,7 +784,7 @@ dependencies = [ [[package]] name = "hayabusa" -version = "2.12.0-dev" +version = "2.13.0-dev" dependencies = [ "aho-corasick", "base64", diff --git a/Cargo.toml b/Cargo.toml index 9682eea18..7d2e23436 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "hayabusa" -version = "2.12.0-dev" +version = "2.13.0-dev" repository = "https://github.com/Yamato-Security/hayabusa" authors = ["Yamato Security @SecurityYamato"] edition = "2021" From 224940c048847734cf8e9cd41548ae8bea7b803f Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Fri, 12 Jan 2024 01:03:17 +0900 Subject: [PATCH 4/6] docs(CHANGELOG): added #1240 --- CHANGELOG-Japanese.md | 2 +- CHANGELOG.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index f94f6772c..7f6b66e26 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md 
@@ -8,7 +8,7 @@ **改善:** -- XXX +- `search` コマンドのフィルタオプションを完全一致にするようにした。加えてフィルタオプションはワイルドカード対応をするようにした。 (#1240) (@hitenkoku) **バグ修正:** diff --git a/CHANGELOG.md b/CHANGELOG.md index 58cbb0e5f..5bb2156af 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,7 +8,7 @@ **Enhancements:** -- XXX +- adjusted `search` command's Filter option an exact match and wild card character. (#1240) (@hitenkoku) **Bug Fixes:** From cb451f7bac75dcc9f550739cbb81659d87bc70da Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Sat, 20 Jan 2024 08:28:35 +0900 Subject: [PATCH 5/6] update required rust ver --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index 06329dd63..9a602cf52 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -4,7 +4,7 @@ version = "2.13.0-dev" repository = "https://github.com/Yamato-Security/hayabusa" authors = ["Yamato Security @SecurityYamato"] edition = "2021" -rust-version = "1.74.1" +rust-version = "1.75.0" include = ["src/**/*", "LICENSE.txt", "README.md", "CHANGELOG.md"] [dependencies] From 304f47520290b6776f9d57f6adf2d919eec386c4 Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Sat, 20 Jan 2024 08:28:52 +0900 Subject: [PATCH 6/6] update displayed version --- src/detections/configs.rs | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/src/detections/configs.rs b/src/detections/configs.rs index 101e667dd..89495ad49 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs 
@@ -737,7 +737,7 @@ fn check_thread_number(config: &Config) -> Option { pub enum Action { #[clap( author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)", - help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe csv-timeline [OPTIONS]\n\n{all-args}", + help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n hayabusa.exe csv-timeline [OPTIONS]\n\n{all-args}", term_width = 400, disable_help_flag = true, display_order = 290 @@ -747,7 +747,7 @@ pub enum Action { #[clap( author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)", - help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe json-timeline [OPTIONS]\n\n{all-args}", + help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n hayabusa.exe json-timeline [OPTIONS]\n\n{all-args}", term_width = 400, disable_help_flag = true, display_order = 360 @@ -757,7 +757,7 @@ pub enum Action { #[clap( author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)", - help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe logon-summary [OPTIONS]\n\n{all-args}", + help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n hayabusa.exe logon-summary [OPTIONS]\n\n{all-args}", term_width = 400, disable_help_flag = true, display_order = 383 
@@ -767,7 +767,7 @@ pub enum Action { #[clap( author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)", - help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe eid-metrics [OPTIONS]\n\n{all-args}", + help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n hayabusa.exe eid-metrics [OPTIONS]\n\n{all-args}", term_width = 400, disable_help_flag = true, display_order = 310 @@ -777,7 +777,7 @@ pub enum Action { #[clap( author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)", - help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe pivot-keywords-list [OPTIONS]\n\n{all-args}", + help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n hayabusa.exe pivot-keywords-list [OPTIONS]\n\n{all-args}", term_width = 400, disable_help_flag = true, display_order = 420 @@ -787,7 +787,7 @@ pub enum Action { #[clap( author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)", - help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe search <--keywords \"\" OR --regex \"\"> [OPTIONS]\n\n{all-args}", + help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n hayabusa.exe search <--keywords \"\" OR --regex \"\"> [OPTIONS]\n\n{all-args}", term_width = 400, disable_help_flag = true, display_order = 450 
@@ -797,7 +797,7 @@ pub enum Action { #[clap( author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)", - help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}", + help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}", term_width = 400, disable_help_flag = true, display_order = 470 @@ -807,7 +807,7 @@ pub enum Action { #[clap( author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)", - help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}", + help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}", term_width = 400, disable_help_flag = true, display_order = 380 @@ -817,7 +817,7 @@ pub enum Action { #[clap( author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)", - help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}", + help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}", term_width = 400, disable_help_flag = true, display_order = 451 @@ -835,7 +835,7 @@ pub enum Action { #[clap( author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)", - help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}", + help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}", term_width = 400, disable_help_flag = true, display_order = 290 
@@ -1656,7 +1656,7 @@ pub struct ComputerMetricsOption { #[derive(Parser, Clone, Debug)] #[clap( author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)", - help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe [OPTIONS]\n hayabusa.exe help \n\n{all-args}{options}", + help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n hayabusa.exe [OPTIONS]\n hayabusa.exe help \n\n{all-args}{options}", term_width = 400, disable_help_flag = true )]